Were the Home Depot and Target breaches the work of the same attackers? Only a few people seem to be in a position to know, and so far, they arent telling. However, we can still learn a lot from the similarity of the incidents.

The two companies are clearly relatedretailers doing very large numbers of relatively small credit card transactions. They arent banksthe classic Willie Sutton remark about robbing them because thats where the money is doesnt apply.

Classic criminology can be helpful here. Similar to any detective, its worth thinking about motive, means, and opportunity. Motive hasnt changed much  its easy to see why some people would steal money, so long as its easy enough. Most of the time its no longer about getting out of the building with heavy bags slung over the shoulder marked SWAG.

What about means? Those do change  new attack tools are continuously being developed, and are increasingly automated. This means that when an attack works once, its likely to work again, and automation allows attackers to sit back and have computers hunt down any other victims who are vulnerable in the same way. These days, trawling with a dragnet seems to be the preferred means of fishing for many attackersit's easy to catch a lot of fish this way, and it removes the trouble and expense of identifying targets in advance. Just automatically twist doorknobs, all across the Internet, and come back later to see which doors popped open, and whats behind them.

But the really big issue is opportunity. Here, Im afraid the data speaks for itself  the rate of new breach reports has greatly increased in the last few years. It may not be that breaches have become more common  it may simply be that people are willing or required to admit it now. But its certainly clear that attackers are able to land all kinds of shiny fish, without much difficulty, whether they are trawling with a planet-sized dragnet, or individually spearing a specific, tasty-looking big fish. Why is this?

When it comes to the third leg of the stoolopportunitywe've made it all too easy for attackers. I want to be clear: Im not blaming over-worked and under-staffed security teams for this. The problem is deeper, and is a more ingrained to the way we do business today.

We build extremely complex infrastructure, and we change it around very quickly, in the quite legitimate name of business agility. After all, our organizations exist to do business, not to operate with absolute assurance. Unfortunately, one of those laws of organizational physics is similar to cosmic physics: entropy happens. As we pile up complexity and make changes at speed, information is inevitably lost  records of which assets are for which business purpose. But this simple organizational point means that defenders are at a gross disadvantage compared to attackerschaos plays to the advantage of the guy who only needs to find one way in, while the complexity makes the defensive job extremely hard.

Ironically, one of the better ways for IT operations to keep upand I mean the application folks, not security  is to copy trusted designs that show proven ability to keep cash registers ringing. The problem is this leads directly to IT monoculturethe same tools and infrastructure used over and over. So we create a pretty compelling environment for would-be bad guyswe operate infrastructure we cant see or understand, and better yet, we copy it company to company. How do they respond? They copy the attacks, company to company.

How can security teams keep up under this pressure? Its tough. We cant control the motive or the means for attackerswe'll always be tempting targets if were making money, and the means are outside our control. We have to focus on opportunity, but as noted, that comes from the double whammy of IT mono-culture, plus inability to keep up with mapping and understanding our defenses as things change.

Taking the first of those, its not likely to fly with the CIO and CEO if we say our organization must use different tools from other companiesthey understand the business imperative to ensure availability and uptime. So if we want to break down at least one of the triad of motive, means, or opportunity, we really only have one choice: operate our security defenses better than the next guy, by automating our discovery, mapping, and analytics capabilities. And if that sounds like the old adage that you dont have to outrun the bear, you just need to outrun your camping buddy, well, thats only funny because its true!